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These notes provide a quick introduction to the Coq system and show how it can be 
used to define logical concepts and functions and reason about them. It is designed as 
a tutorial, so that readers can quickly start their own experiments, learning only a few 
of the capabilities of the system. A much more comprehensive study is provided in jljj, 
which also provides an extensive collection of exercises to train on. 

1 Expressions and logical formulas 

The Coq system provides a language in which one handles formulas, verifies that they are 
well-formed, and proves them. Formulas may also contain functions and limited forms of 
computations are provided for these functions. 

The first thing you need to know is how you can check whether a formula is well- 
formed. The command is called Check. Here are a few examples, which use a few of the 
basic objects and types of the system. Commands are always terminated by a period. 

Check True . 
True : Prop 

Check False. 
False : Prop 

Check 3. 
3 : nat 

Check (3+4) . 
3 + 4 ■ 1^'^'^ 



Check (3=5) . 
3=5 : Prop 



Check (3,4) . 
(3,4) '• nat * nat 

Check ((3=5)/\True) . 
3 = 5 /\ True : Prop 
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Check nat -> Prop. 
nat -> Prop : Type 

Check (3 <= 6). 
3 <= 6 : Prop 

The notation A .B is uniformly used to indicate that the type of the expression A is the 
expression B. 

Among these formulas, some can be read as propositions (they have type Prop), others 
may be read as numbers (they have type nat), others may be read as elements of more 
complex data structures. You can also try to check badly formed formulas and in this 
case the Coq system returns an informative error statement. 

Complex formulas can be constructed by combining propositions with logical connec- 
tives, or other expressions with addition, multiplication, the pairing construct, and so on. 
You can also construct a new function by using the keyword fun, which replaces the A 
symbol of lambda calculus and similar theories. 

Check (fun x:nat => x = 3) . 

fun X : nat => x = 3 : nat -> Prop 

Check (forall x:nat, x < 3 \/ (exists y:nat, x = y + 3)). 
forall X : nat, x < 3 \/ (exists y : nat, x = y + 3) : Prop 

Check (let f := fun x => (x * 3,x) in f 3). 

let f := fun x : nat => (x * 3, x) in f 3 : nat * nat 

Please note that some notations are overloaded. For instance, the * sign is used both 
to represent conventional multiplication on numbers and the cartesian product on types. 
One can find the function hidden behind a notation by using the Locate command. 

Locate "_ <= _" . 

Notation Scope 

"x <= y" := le X y : nat_scope 

(default interpretation) 

The conditions for terms to be well-formed have two origins: first, the syntax must be 
respected (parentheses, keywords, binary operators must have two arguments); second, 
expressions must respect a type discipline. The Check command not only checks that 
expressions are well-formed but it also gives the type of expressions. For instance we can 
use the Check command to verify progressively that some expressions are well-formed. 

Check True . 
True : Prop 

Check False. 
False : Prop 
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Check and. 

and : Prop -> Prop -> Prop 

Check (and True False) . 
True /\ False : Prop 

In the last example, and is a function that expects an argument of type Prop and returns 
a function of type Prop -> Prop. It can therefore be applied to True, which has the 
right type. But the function we obtain expects another argument of type Prop and it can 
be applied to the argument False. The notation 

a -> b -> c 

actually stands for 

a -> ib -> c) 

and the notation fab actually stands for (/ a) b. 

The last example also shows that the notation /\ is an infix notation for the function 
and. 

Some constructs of the language have a notion of bound variable. Among the examples 
we have already seen, the forall and exists logical quantifiers and the fun function 
constructor and the let . . in local declaration have bound variables. When constructs 
have a bound variable, this variable can be used inside some part of the construct called 
the scope. The type is usually given exphcitly, but it may also sometimes be left untold, 
and the Coq system will infer it. 

You can also require to evaluate an expression. This actually means that some sym- 
bolic computation is performed on this formula, and there are several kind of strategies to 
perform this symbolic computation. One strategy is called compute, here is an example 
of evaluation: 

Eval compute in 

let f := fun x => (x * 3, x) in f 3. 
= (9, 3) : nat * nat 

After executing this command, the function f is not defined, it was just defined tem- 
porarily inside the expression that was evaluated. Here f can be used only inside the 
expression f 3. 

At this point, you should be able to perform exercise 2.5 from |1] taking all numbers 
in the type nat. 

Exercise 2.5 Write a function that takes five arguments and returns their sum. 

2 Defining new constants 

You can define a new constant by using the keyword Definition. Here is an example: 
Definition examplel := fun x : nat => x*x+2*x+l. 
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An alternative, exactly equivalent, definition could be: 
Definition examplel (x : nat) := x*x+2*x+l. 

After executing one of these commands, the function can be used in other commands: 

Check examplel. 
examplel : nat -> nat 

Eval compute in example 1 . 
= 4 : nat 

3 Propositions and proofs 

The notation A:B is actually used for several purposes in the Coq system. One of these 
purposes is to express that A is a proof for the logical formula B. This habit is usually 
referred to under the name Curry-Howard Isomorphism. In accordance to this principle, 
Prop is actually a type whose elements are themselves types. True formulas are formulas 
that can be proved, in other words, types, in which we know how to construct elements. 
False formulas are types, in which there is no way to construct elements. 

To construct proofs of formulas, we simply look for existing proofs or use functions 
to construct elements of a type from elements of other types. 

3.1 Finding existing proofs 

One can find already existing proofs of facts by using the Search command. Its argument 
should always be an identifier. 

Search True. 
I : True 
Search le. 

le_n : forall n : nat, n <= n 

le_S : forall n m : nat, le n m -> le n (S m) 

The theorem le_S uses a function S, this function maps any natural number to its suc- 
cessor. ActuaUy, the notation 3 is only a notation for S (S (SO)). 

New theorems can be loaded from already proven packages using the Require com- 
mand. For example, for proofs in arithmetics, it is useful to load the following packages: 

Require Import Arith Omega. 
Search le. 

hetu]een_le: forall (P : nat -> Prop) (k I : nat), 

between P k I -> k <= I 
exists_ le_S: 

forall (Q : nat -> Prop) (k I : nat), 
exists_between Q k I -> S k <= I 

plus_le_reg_l : forall n m p : nat, p + n <= p + m -> n <= m 
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plus_le_compat_l : forall n m p : nat, n <= m -> p + n <= p + m 
plus_le_compat_r: forall n m p : nat, n <= m -> n + p <= m + p 
le_plus_l : forall n m : nat, n <= n + m 

The command SearchPattern takes a pattern as argument, where some of the ar- 
guments of a predicate can be replaced by incomplete expressions (we use a special 
anonymous variable _ to represent holes in incomplete expressions) . 

SearchPattern (_+_<=_+_). 

plus_le_compat_l : forall n m p: nat, n <= m -> p + n <= p + m 

plus_le_compat_r: forall n m p: nat, n <= m -> n + p <= m + p 

plus_le_compat : forall n m p q: nat, n <= m -> p <= q -> n + p <= m + q 

The command SearchRewrite is similar, but it only looks for rewriting theorems, that 
is, theorems where the proved predicate is an equality. The listed theorems are those for 
which the pattern fits one of the members of the equality in the conclusion. 

SearchRewrite (_ + (_-_)). 

le_plus_minus : forall n m : nat, n <= m -> m = n + (m - n) 
le_plus_minus_r : forall n m : nat, n <= m -> n + (m - n) = m 



3.2 Constructing new proofs 

A theorem that proves an implication A ^ B actually is an expression whose type is a 
function type A -> B (in other words, an arrow type). Such a function (let's call it /) 
can be applied to a term x of type A. Prom the logical point of view, when applying the 
function to the argument to form / we actually deduce that B holds from the proofs 
that A and A -> B hold. This corresponds to what is usually known as modus ponens. 

A theorem that proves a universal quantification is also a function. It can also be 
applied to an argument of the right type. For instance, if the theorem t is a proof of 
\/x : A, P X and a has type A, then we can apply t to A. The resulting expression, t a, 
has the type P a. From the logical point of view, this corresponds to producing a new 
proof for the statement where the universal quantification is instantiated. Here are a few 
examples, where theorems are instantiated and a modus ponens inference is performed: 

Check le_n. 

le_n : forall n:nat n <= n 

Check (le_n 0) . 
le_n : <= 

Check (le_S 0) . 

le_S 1 : <= -> <= 1 

Check (le_S (le_n 0)). 
le_S (le_n 0) : <= 1 
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New theorems could be constructed this way by combining existing theorems and using 
the Definition keyword to associate these expressions to constants. But this approach is 
seldom used. The alternative approach is known as goal directed proof, with the following 
type of scenario: 

1. the user enters a statement that he wants to prove, using the command Theorem 
or Lemma, 

2. the Coq system displays the formula as a formula to be proved, possibly giving a 
context of local facts that can be used for this proof (the context is displayed above 
a horizontal line, the goal is displayed under the horizontal line) , 

3. the user enters a command to decompose the goal into simpler ones, 

4. the Coq system displays a hst of formulas that still need to be proved, 

5. back to step 3. 

Some of the commands sent at step 3 actually decrease the number of goals. When there 
are no more goals the proof is complete, it needs to be saved, this is performed when the 
user sends the command Qed . The commands that are especially designed to decompose 
goals into collections of simpler goals are called tactics. 
Here is an example: 

Theorem example2 : forall a b:Prop, a /\ b -> b /\ a. 
1 subgoal 



forall a b : Prop, a /\ b -> b /\ a 

Proof . 

intros a b H. 
1 subgoal 

a : Prop 
b : Prop 
H : a A b 



b A a 

split . 

2 subgoals 

H : a A b 



b 

subgoal 2 is: 
a 
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elim H; intros HO HI. 



HO : a 
HI : b 



b 

exact HI . 
1 subgoal 

H : a /\ b 



a 

intuition. 
Proof completed. 

Qed. 

intros a b H. 
split. 

elim H; intros HO HI. 
exact HI . 

intuition. 
example2 is defined 

This proof uses several steps to decompose the logical processing, but a quicker dialog 
would simply rely on the automatic tactic intuition directly from the start. There is an 
important collection of tactics in the Coq system, each of which is adapted to a shape of 
goal. For instance, the tactic elim H was adapted because the hypothesis H was a proof of 
a conjunction of two propositions. The effect of the tactic was to add two implications in 
front of the goal, with two premises asserting one of the propositions in the conjunction. 
It is worthwhile remembering a collection of tactics for the basic logical connectives. We 
list these tactics in the following table, inspired from the table in [I] (p. 130). 
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When using the tactic elim or case, this usually creates new facts that are placed in 
the result goal as premises of newly created implications. These premises must then 
be introduced in the context using the intros tactic. A quicker tactic does the two 
operations at once, this tactic is called destruct. 

A common approach to proving difficult propositions is to assert intermediary steps 
using a tactic called assert. Given an argument of the form (H : P) , this tactic yields 
two goals, where the first one is to prove P, while the second one is to prove the same 
statement as before, but in a context where an hypothesis named H and with the statement 
P is added. 

Some automatic tactics arc also provided for a variety of purposes, intuition is often 
useful to prove facts that are tautologies in first-order intuitionistic logic (try it whenever 
the proof only involves manipulations of forall quantification, conjunction, disjunction, 
and negation); auto is an extensible tactic that tries to apply a collection of theorems 
that were provided beforehand by the user, eauto is like auto, it is more powerful but 
also more time-consuming, ring mostly does proofs of equality for expressions containing 
addition and multiplication, omega proves systems of linear inequations. To use omega 
you first need to require that Coq loads it into memory. An inequation is linear when it 
is of the form A < B or A < B, and A and B are sums of terms of the form n* x, where 
X is a variable and n is a numeric constant, 1, 3, -15, etcetera). The tactic omega can 
also be used for problems, which are instances of systems of linear inequations. Here is 
an example, where f x is not a linear term, but the whole system of inequations is the 
instance of a linear system. 

Require Import Omega. 

Lemma omega_exainple : 

forall fxy, 0<x->0<fx->3*fx<=2*y->fx<=y. 
intros; omega. 
Qed. 
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One of the difficult points for newcomers is that the Coq system also provides a type 
bool with two elements called true and false, but traditionally does not use these 
boolean values to represent the difference between provable and unprovable propositions. 
The type bool is just a two-element type that may be used to model the boolean types 
that one usually finds in programming languages and the value attached to its two el- 
ements is purely conventional. In general, a proposition is represented as a type, and 
the fact that this proposition holds is represented by the existence of an element in this 
type. In practice, the proposition (which is a type) cannot be used as a boolean value, 
for instance in a conditional statement, and a boolean value, which is atomic and not a 
type, cannot contain a proof. In some cases, the two points of view can be reconciled, 
especially in proof by reflexion, but we will not cover this topic in this tutorial. 

At this point, you should be able to perform the following two exercises. 

Exercise 5.6 (from [Ij) Prove the following theorems: 

forall A B CiProp, A/\(B/\C)^ (A/\B)/\C 

forall A B C D: Prop, (A->B)/\(C^D)/\A/\C B/\D 

forall A: Prop, ~(A/\~A) 

forall ABC: Prop, A\/(B\/C)^(A\/B)\/C 

forall A: Prop, ~~(A\/~A) 

forall A B: Prop, (A\/B)/\~A B 

Two benefits can be taken from this exercise. In a ffist step you should try using 
only the basic tactics given in the table page [SI In a second step, you can verify 
which of these statements are directly solved by the tactic intuition. 

Universal quantification Prove 

forall A: Set, forall P Q:A^Prop, 

(forall X, P x)\/(forall y, Q y)^forall x, P x\/Q x. 

4 Inductive types 

Inductive types could also be called algebraic types or initial algebras. They are defined 
by providing the type name, its type, and a collection of constructors. They are often 
used to model data-structures. Inductive types can be parametrized and dependent. We 
will mostly use parametrization to represent polymorphism and dependence to represent 
logical properties. 

4.1 Defining inductive types 

Here is an example of an inductive type definition: 

Inductive bin : Set := 

L : bin 
I N : bin -> bin -> bin. 
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This defines a new type bin, whose type is Set, and provides two ways to construct 
elements of this type: L (a constant) and N (a function taking two arguments). The Coq 
system automatically associates a theorem to this inductive type. This theorem makes 
it possible to reason by induction on elements of this type: 

Check bin_ind. 
bin_ znd 

: forall P : bin -> Prop, 
P L -> 

(forall b : bin, 

P b -> forall bO : bin, P bO -> P (N b bO)) -> 
forall b : bin, P b 

The induction theorem associated to an inductive type is always named name_ind. 

4.2 Pattern matching 

Elements of inductive types can be processed using functions that perform some pattern- 
matching. For instance, we can write a function that returns the boolean value false 
when its argument is N L L and returns true otherwise. 

Definition examples (t : bin): bool := 

match t with N L L => false I _ => true end. 

4.3 Recursive function definition 

There are an infinity of different trees in the type bin. To write interesting functions with 
arguments from this type, we need more than just pattern matching. The Coq system 
provides recursive programming. The shape of recursive function definitions is as follows: 

Fixpoint flatten_aux (tl t2:bin) {struct tl} : bin := 
match tl with 

L => N L t2 I N t'l t'2 => flatten.aux t'l (flatten.aux t'2 t2) 
end. 

Fixpoint flatten (t:bin) : bin := 
match t with 

L => L I N tl t2 => flatten.aux tl (flatten t2) 
end. 

Fixpoint size (t:bin) : nat := 
match t with 

L => 1 I N tl t2 => 1 + size tl + size t2 
end. 

There are constraints in the definition of recursive definitions. First, if the function has 

more than one argument, wc must declare one of these arguments as the principal or 
structural argument (we did this declaration for the function f latten_aux). If there is 
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only one argument that belongs to an inductive type, then this argument is the principal 
argument by default. Second, every recursive call must be performed so that the principal 
argument of the recursive call is a sub-term, obtained by pattern-matching, of the initial 
principal argument. This condition is satisfied in all the examples above. 

In computation, recursive function are easy to simplify when their structural argument 
has the form of a constructor, as appears in the following case: 

Eval compute in flatten_aux (N L L) L. 
= N L (N L L) : bin 

4.4 Proof by cases 

Now, that wc have defined functions on our inductive type, wc can prove properties of 
these functions. Here is a first example, where we perform a few case analyses on the 
elements of the type bin. 

Theorem example3_size : 

forall t, examples t = false -> size t = 3. 
Proof . 

intros t; destruct t. 
2 subgoals 



examples L = false -> size L = 3 

subgoal 2 is: 
examples (N tl t2) = false -> size (N tl t2) = 3 

The tactic destruct t actually observes the various possible cases for t according to the 
inductive type definition. The term t can only be either obtained by L, or obtained by N 

applied to two other trees tl and t2. This is the reason why there are two subgoals. 

Wc know the value that examples and size should take for the tree L. We can direct 
the Coq system to compute it: 

simpl . 

2 subgoals 



true = false -> 1 = 3 

After computation, we discover that assuming that the tree is L and that the value of 
examples for this tree is false leads to an inconsistency. We can use the following tactics 
to exploit this kind of inconsistency: 

intros H. 

H : true = false 



1=3 
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discriminate H. 
1 subgoal 



examples (N tl t2) = false -> size (N tl t2) = 3 

The answer shows that the first goal was solved. The tactic discriminate H can be used 
whenever the hypothesis H is an assumption that asserts that two different constructors of 
an inductive type return equal values. Such an assumption is inconsistent and the tactic 
exploits directly this inconsistency to express that the case described in this goal can 
never happen. This tactic expresses a basic property of inductive types in the sort Set 
or Type: constructors have distinct ranges. Another important property of constructors 
of inductive types in the sort Set or Type is that they are injective. The tactic to exploit 
this fact called injection (for more details about discriminate and injection please 
refer to [1] or the Coq reference manual [2]). 

For the second goal we still must do a case analysis on the values of tl and t2, we do 
not detail the proof but it can be completed with the following sequence of tactics. 

destruct tl. 
destruct t2. 
3 subgoals 



example3 (N L L) = false -> size (N L L) =3 

subgoal 2 is: 

example3 (N L (N t2_l t2_2)) = false -> 

size (N L (N t2_l t2_2) ) = 3 
subgoal 3 is: 

example3 (N (N tl_l tl_2) t2) = false -> 
size (N (N tl_l tl_2) t2) = 3 

For the first goal, we know that both functions will compute as we stated by the equality's 
right hand side. We can solve this goal easily, for instance with auto. The last two goals 
are solved in the same manner as the very first one, because examples cannot possibly 
have the value false for the arguments that are given in these goals. 

auto . 

intros H; discriminate H. 
intros H; discriminate H. 
Qed. 

To perform this proof, we have simply observed 5 cases. For general recursive functions, 
just observing a finite number of cases is not sufficient. We need to perform proofs by 
induction. 

At this point, you can perform a second part of our exercise on universal quantification. 
Exercise on universal quantification (follow-up) Prove the following theorem 
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"(forall A:Set,forall P C):A^Prop, 

(forall X, P x\/Q x)^(forall x, P x)\/(forall y, Q y) . 

Hint: think about a counter-example with the type bool and its two elements true and 
false, which can be proved different using discriminate. 

4.5 Proof by induction 

The most general kind of proof that one can perform on inductive types is proof by 
induction. 

When we prove a property of the elements of an inductive type using a proof by 
induction, we actually consider a case for each constructor, as we did for proofs by cases. 
However there is a twist: when we consider a constructor that has arguments of the 
inductive type, we can assume that the property we want to establish holds for each of 
these arguments. 

When we do goal directed proof, the induction principle is invoked by the elim tactic. 
To illustrate this tactic, we will prove a simple fact about the f latten_aux and size 
functions. 

Theorem f latten_aux_size : 

forall tl t2, size (flatten_aux tl t2) = size tl + size t2 + 1. 
Proof . 

intros tl; elim tl. 



forall t2 : bin, size (flatten_aux L t2) = size L + size t2 + 1 

subgoal 2 is: 
forall b : bin, 

(forall t2 : bin, size (flatten_aux b t2) = 

size b + size t2 + 1) -> 

forall bO : bin, 

(forall t2 : bin, size (flatten_aux bO t2) = 

size bO + size t2 + 1) -> 

forall t2 : bin, 

size (flatten_aux (N b bO) t2) = 
size (N b bO) + size t2 + 1 

There are two subgoals, the first goal requires that we prove the property when the first 
argument of f latten_aux is L, the second one requires that we prove the property when 

the argument is N b bO, under the assumption that it is already true for b and bO. The 
proof progresses easily, using the definitions of the two functions, which are expanded 
when the Coq system executes the simpl tactic. We then obtain expressions that can be 
solved using the ring tactic. 

intros t2. 
simpl . 
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S (S (size t2)) = S (size t2 + 1) 



ring. 

intros b IHb bO IHbO t2. 

IHb : forall t2 : bin, size (flatten_aux b t2) = 

size b + size t2 + 1 

bO : bin 

IHbO : forall t2 : bin, size (flatten_aux bO t2) = 

size bO + size t2 + 1 

t2 : bin 



size (flatten_aux (N b bO) t2) = size (N b bO) + size t2 + 1 
simpl . 



size (flatten_aux b (flatten_aux bO t2)) = 
S (size b + size bO + size t2 + 1) 

rewrite IHb. 



size b + size (flatten_aux bO t2) + 1 = 
S (size b + size bO + size t2 + 1) 

rewrite IHbO. 



size b + (size bO + size t2 + 1) + 1 = 
S (size b + size bO + size t2 + 1) 

ring. 

Proof completed. 
Qed. 

At this point, you should be able to perform your own proof by induction. 
Exercise on flatten and size Prove 

Theorem flatten_size : forall t, size (flatten t) = size t. 
4.6 Numbers in the Coq system 

In the Coq system, most usual data-types are represented as inductive types and pack- 
ages provide a variety of properties, functions, and theorems around these data-types. 
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The package named Arith contains a host of theorems about natural numbers (numbers 
from to infinity), which are described as an inductive type with (representing 0) and 
S as constructors. It also provides addition, multiplication, subtraction (with the special 
behavior that x - y is when x is smaller than y). This package also provides a tactic 
ring, which solves equalities between expressions modulo associativity and commutativ- 
ity of addition and multiplication and distributivity. For natural numbers, ring does not 
handle subtraction well, because of its special behavior. 

The package named ZArith provides two inductive data-types to represent integers. 
The first inductive type, named positive, follows a binary representation to model the 
positive integers (from 1 to infinity) and the type Z is described as a type with three 
constructors, one for positive numbers, one for negative numbers, and one for 0. The 
package also provides orders and basic operations: addition, subtraction, multiplication, 
division, square root. The tactic ring also works for integers (this time, subtraction 
is well supported) The tactic omega works equally well to solve problems in Presburger 
arithmetic for both natural numbers of type nat and integers of type Z. 

There is also a package QArith for rational numbers and a package Reals for real 
numbers. While the former is quite rudimentary, the latter is quite extensive, up to 
derivation and trigonometric functions, for instance. For these packages, a tactic field 
helps solving equalities between fractional expressions, and a tactic f ourier helps solving 
systems of linear inequations. 

4.7 Data-structures 

The two-element boolean type is an inductive type in the Coq system, true and false 
are its constructors. The induction principle naturally expresses that this type only has 
two elements, because it suffices that a property is satisfied by true and false to ensure 
that it is satisfied by all elements of bool. On the other hand, it is easy to prove that 
true and false are distinct. 

Most ways to structure data together are also provided using inductive data structures. 
The pairing construct actually is an inductive type, and elim can be used to reason about 
a pair in the same manner as it can be used to reason on a natural number. 

A commonly used data-type is the type of lists. This type is polymorphic, in the sense 
that the same inductive type can be used for lists of natural numbers, lists of boolean 
values, or lists of other lists. This type is not provided by default in the Coq system, it 
is necessary to load the package List using the Require command to have access to it. 
The usual cons function is given in Coq as a three argument function, where the first 
argument is the type of elements: it is the type of the second argument and the third 
argument should be a list of elements of this type, too. The empty list is represented by 
a function nil. This function also takes an argument, which should be a type. However, 
the Coq system also provides a notion of implicit arguments, so that the type arguments 
are almost never written and the Coq system infers them from the context or the other 
arguments. For instance, here is how we construct a list of natural numbers. 

Require Import List. 

Check (cons 3 (cons 2 (cons 1 nil))). 
3 : : 2 : : 1 : : nil : list nat 
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This example also shows that the notation : : is used to represent the cons function in 
an infix fashion. This tradition will be very comfortable to programmers accustomed 
to languages in the ML family, but Haskell addicts should beware that the conventions, 
between type information and cons, are inverse to the conventions in Haskell. 

The List package also provides a list concatenation function named app, with ++ as 
infix notation, and a few theorems about this function. 

5 Inductive properties 

Inductive types can be dependent and when they arc, they can be used to express logical 
properties. When defining inductive types like nat, Z or bool we declare that this constant 
is a type. When defining a dependent type, we actually introduce a new constant which 
is declared to be a function from some input type to a type of types. Here is an example: 

Inductive even : nat -> Prop := 

evenO : even 
I evenS : forall x:nat, even x -> even (S (S x)). 

Thus, even itself is not a type, it is even x, whenever x is an integer that is a type. 
In other words, we actually defined a family of types. In this family, not all members 
contain elements. For instance, we know that the type even contains an element, this 
element is evenO, and we know that even 2 contains an element: evenS evenO. What 
about even 1? If even 1 contains an element, this element cannot be obtained using 
evenO because 7^ 1, it cannot be obtained using evenS because 1 7^ 2 + a; for every x 
such that < X. Pushing our study of even further we could see that this type, seen as 
a property, is provable if and only if its argument is even, in the common mathematical 
sense. 

Like other inductive types, inductive properties are equipped with an induction prin- 
ciple, which we can use to perform proofs. The inductive principle for even has the 
following shape. 

Check even.ind. 

even_ind : forall P : nat -> Prop, 

P -> 

(forall X : nat, even x -> P x -> P (S (S x))) -> 
forall n : nat, even n -> P n 

This principle intuitively expresses that even is the smallest property satisfying the two 
constructors: it implies every other property that also satisfies them. A proof using this 
induction principle will work on a goal where we know that even y holds for some y 
and actually decomposes into a proof of two cases, one corresponding to the case where 
even y was obtained using evenO and one corresponding to the case where even y was 
obtained using evenS, applied to some x such that y=S (S x) and some proof of even y. 
In the second case, we again have the opportunity to use an induction hypothesis about 
this y. 

When a variable x satisfies an inductive property, it is often more efficient to prove 
properties about this variable using an induction on the inductive property than an 
induction on the variable itself. The following proof is an example: 
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Theorem even_mult : forall x, even x -> exists y, x = 2*y. 
Proof . 

intros x H; elim H. 
2 subgoals 

X : nat 
H : even x 



exists y : nat, = 2 * y 

subgoal 2 is: 
forall xO : nat, 

even xO -> (exists y : nat, xO = 2 * y) -> 
exists y : nat, S (S xO) = 2 * y 

exists 0; ring, 
intros xO HevenxO IHx. 

IHx : exists y : nat, xO = 2 * y 



exists y : nat, S (S xO) = 2 * y 

In the last goal, IHx is the induction hypothesis. It says that if xO is the predecessor's 
predecessor of x then we already know that there exists a value y that is its half. We can 
use this value to provide the half of S (S xO) . Here are the tactics that complete the 
proof. 

destruct IHx as [y Heq] ; rewrite Heq. 

exists (S y) ; ring. 

Qed. 

In this example, we used a variant of the destruct tactic that makes it possible to choose 
the name of the elements that destruct creates and introduces in the context. 

If wc wanted to prove the same property using a direct induction on the natural 
number that is even, we would have a problem because the predecessor of an even number, 
for which direct induction provides an induction hypothesis, is not even. The proof is 
not impossible but slightly more complex: 

Theorem even_mult' : forall x, even x -> exists y, x = 2* y. 
Proof . 
intros x. 

assert (lemma: (even x -> exists y, x=2*y)/\ 
(even (S x) -> exists y, S x=2*y)). 

elim X. 
split . 

exists 0; ring. 

intros Hevenl ; inversion Hevenl . 
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intros xO IHxO; destruct IHxO as [IHxO IHSxO] . 
split . 

exact IHSxO. 

intros HevenSSxO. 

assert (HevenxO : even xO) . 

inversion HevenSSxO; assumption. 

destruct (IHxO HevenxO) as [y Heq] . 

rewrite Heq; exists (S y) ; ring. 

intuition. 

Qed. 

This script mostly uses tactics that we have already introduced, except the inversion 
tactic. Given an assumption H that relies on a dependent inductive type, most frequently 
an inductive proposition, the tactic inversion analyses all the constructors of the in- 
ductive, discards the ones that could not have been applied, and when some constructors 
could have applied it creates a new goal where the premises of this constructor are added 
in the context. For instance, this tactic is perfectly suited to prove that 1 is not even: 

Theorem not_even_l : "even 1. 
Proof . 

intros evenl . 
evenl : even 1 



False 

inversion evenl . 
Qed. 

This example also shows that the negation of a fact actually is represented by a function 
that says "this fact implies False". 

Inductive properties can be used to express very complex notions. For instance, 
the semantics of a programming language can be defined as an inductive definition, using 
dozens of constructors, each one describing a kind of computation elementary step. Proofs 
by induction with respect to this inductive definition correspond to what Wynskel calls 
rule induction in his introductory book on programming language semantics [3] . 

6 Exercises 

Most of the exercises proposed here are taken from |lj. We also repeat exercises that 
were already given in the text. 

Exercise 2.5 Write a function that takes five arguments and returns their sum. 
Exercise 5.6 Prove the following theorems: 

forall A B C:Prop, A/\(B/\C)^ (A/\B)/\C 
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forall A B C D: Prop, (A^B)/\(C^D)/\A/\C B/\D 

forall A: Prop, ~(A/\~A) 

forall ABC: Prop, A\/(B\/C)^(A\/B)\/C 

forall A: Prop, ~~(A\/~A) 

forall A B: Prop, (A\/B)/\~A B 

Two benefits can be taken from tliis exercise. In a first step you should try using 
only the basic tactics given in the table page [HI In a second step, you can verify 
which of these statements are directly solved by the tactic intuition. 

Universal quantification Prove 

forall A: Set, forall P Q:A^Prop, 

(forall X, P x)\/(forall y, Q y)^forall x, P x\/Q x. 
"(forall A: Set, forall P q:A^Prop, 

(forall X, P x\/Q x)^(forall x, P x)\/(forall y, Q y) . 

Hint: for the second exercise, think about a counter-example with the type bool 
and its two elements true and false, which can be proved different, for instance. 

Exercise 6.32 The sum of the first n natural numbers is defined with the following 
function: 

Fixpoint sum_n (n:nat) : nat := 

match n with 0=>0 I Sp=>Sp+ sum_n p end. 

Prove the following statement: 

forall n:nat, 2 * sum_n n = n*n + n 

Sum of powers Define a recursive function nat_power. Find in the Coq documenta- 
tioiij how to attach the notation x"y to this function. Then define a summation 
function that makes it possible to compute 

n 
A;=0 

Prove the following theorem: 

n 

Wx n : nat, I < x ^ {x - l)^ = x^^^ - 1. 

fc=0 

To perform this exercise, we suggest you first prove an equivalent statement where 
no subtraction occurs (by induction over n, using simpl ring, and simpl to perform 
the computational steps). You can then switch to the statement with subtractions 
using the known theorems mult_reg_l and le_plus_minus. 

http : //cog. inria.f r/| 
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Square root of 2 If = 2g^, then (2g — p)^ = 2{p — g)^, now if p is the least positive 
integer such that there exists a positive integer q such that p/q = V^, then p > 
2q — p > 0, and (2g — p)/{p — q) = V^- This is a contradiction and a proof that 
\/2 is not rational Use Coq to verify a formal proof along these lines (use Z as the 
type of numbers). 

Sum of powers revisited Try to redo this exercise with other number types, like Z, R, 
where powers and summations may already be defined and the condition 1 < a; can 
usually be replaced by another condition. 



7 Solutions 

The solutions to the numbered exercises are available from the Internet (on the site 
associated to the reference [1]). The short proof that \/2 is not rational is also available 
on the InternelE] 

7.1 Universal quantification 

Here are the solutions to the exercises on universal quantification. 

Theorem exl : 

forall A: Set, forall P Q:A->Prop, 

(forall X, P x) \/ (forall y, Q y) -> forall x, P x \/ Q x. 
Proof . 
intros A P Q H. 
elim H. 

intros HI; left; apply HI. 
intros H2; right; apply H2. 
Qed. 



Theorem ex2 : 

"(forall A: Set, forall P Q:A->Prop, 

(forall X, P X \/ Q x) -> (forall x, P x) \/ (forall y, Q y) ) . 
Proof . 

intros H; elim (H bool (fun x:bool => x = true) 

(fun x:bool => x = false)), 
intros HI; assert (H2: false = true). 

apply HI. 
discriminate H2. 

intros HI; assert (H2:true = false). 

apply HI. 
discriminate H2. 
intros x; case x. 
left; reflexivity. 
right; reflexivity. 
Qed. 

" http : //cocor ico . cs . ru . nl/coqwiki/SquareRootTwo| 
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7.2 flatten 



Here is the solution to the exercise on flatten and size (this re-uses the lemma 
f latten_aux_size proved in these notes). 

Theorem flatten_size : forall t, size (flatten t) = size t. 
Proof . 

intros t; elim t. 
simpl. reflexivity. 

intros tl IHl t2 IH2; simpl. rewrite f latten_aux_size . rewrite IH2. ring. 
Qed. 

7.3 Sum of powers 

Here is a condensed solution to the exercise on the sum of powers: 
Require Import Arith Omega. 

Fixpoint nat_power (n m:nat) {struct m} : nat := 

match m with => 1 I S p => n*n"p end 
where "n " m" := (nat_power n m) . 

Fixpoint sum_f (f :nat->nat) (n:nat) : nat := 

match n with => f I S p => f (S p)+sum_f f p end. 

Lemma mult_0_inv : forall x y, x*y=0->x=0\/y=0 . 
intros x; case x; simpl; auto. 

intros x' y; case y; simpl; auto; intros; discriminate. 
Qed. 

Lemma power_0_inv : forall xn, x"n=0->x=0. 

intros x n; elim n. 

simpl; intros; discriminate. 

intros n' IH H; case (mult_0_inv x (x " n') H) ; subst; auto. 
Qed. 

Lemma sum_of _powersl : forall x n, 

x*suin_f (nat_power x) n + 1 = x" (n+l)+sum_f (nat_power x) n. 
intros x n; elim n; simpl; repeat rewrite mult_l_r; auto, 
simpl; intros p IH; rewrite mult_plus_distr_l; rewrite <- plus_assoc; 
rewrite IH; rewrite <- (plus_comm 1); simpl; ring. 
Qed. 

Lemma sum_of _powers : forall x n, 1 <= x -> 

(x-l)*sum_f (nat_power x) n = x~(n+l)-l. 
intros x n Hx; apply plus_reg_l with (l*sum_f (nat_power x) n) . 
rewrite <- mult_plus_distr_r ; rewrite <- le_plus_minus ; auto, 
apply plus_reg_l with 1 . 

assert (H' : 1 +(l*sum_f (nat_power x) n+ (x" (n+1) -1) )= 
l*sum_f (nat_power x) n + (l+Cx" (n+l)-l) ) ) . 
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ring. 

rewrite H' ; clear H' ; rewrite <- le_plus_niiiius . 
rewrite (plus_comm 1); rewrite sum_of _powersl ; ring, 
case (zerop (x~(n+l))); auto. 

intros H; assert (x = 0) . apply (power_0_inv _ _ H) . omega. 
Qed. 

Require Import ZArith. Open Scope Z_scope. 

Fixpoint Zsum_f (f :nat->Z) (n:nat) : Z := 

match n with 0°/onat => f 07onat | S p => f (S p)+Zsum_f f p end. 

Theorem Zsum_of _powers : forall x n, 

(x-l)*Zsum_f (fun n =>Zpower x (Z_of_nat n) ) n = x"(Z_of_nat n+l)-l. 
intros x n; elim n. 

unfold Zsum_f, Z_of_nat; simpl (0+1); ring, 
intros p IHp. 

assert (Hinz : (Z_of_nat (S p) )=(l+Z_of _nat p)). 
rewrite inj_S; unfold Zsucc; ring. 

unfold Zsum_f ; fold Zsum_f ; rewrite Hinz; repeat rewrite Zpower_exp; 
try (rewrite Zmult_plus_distr_r ; rewrite IHp) ; 
repeat rewrite Zpower_exp; auto with zarith; ring. 
Qed. 

Require Import Reals. Open Scope R_scope. 

Fixpoint Rsum_f (f :nat->R) (n:nat) : R := 
match n with 0°/onat => f 07„nat | S p => f (S p)+Rsum_f f p end. 

Lemma Rsum_of _powers : forall x n, (x-l)*Rsum_f (pow x) n = x"(n+l)-l. 
intros x n; elim n. 
simpl; ring. 

intros p IHp; simpl; rewrite Rmult_plus_distr_l ; rewrite IHp. 

rewrite pow_add; ring. 

Qed. 
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